nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Trying to generate rules, but get "No hits for this filter." #548

Closed jaygooby closed 11 months ago

jaygooby commented 3 years ago

I imported my error logs, and I can query stats:

GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.018s]
# example.com 52.89% (total:11775/22264)
...
# Top URI(s) :
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.041s]
# /foo 22.1% (total:2602/11775)

but when I try to generate rules using nxtool.py -c nxapi.json -s example.com -f --filter 'uri /foo' --slack I get:

GET http://127.0.0.1:9200/ [status:200 request:0.006s]
# size :1000
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.024s]
No hits for this filter.

Any idea what I'm doing wrong?

jaygooby commented 3 years ago

Ah, looks like nxtool.py doesn't like being called with a nxapi.json config file that lives outside the path from where nxtool.py is found. Steps to reproduce:

# This example assumes that naxsi has been git cloned to ~/src/naxsi and elastic search has already been
# populated from an error.log
cd ~/src/naxsi

# this will work and output rules
./nxtool.py -c nxapi.json -s example.com -f --filter 'uri /foo' --slack

# this will fail with "No hits for this filter." even though there is a ~/some/project/folder/nxapi.json
cd ~/some/project/folder
~/src/naxsi/nxtool.py -c ~/some/project/folder/nxapi.json -s example.com -f --filter 'uri /foo' --slack

# this will work, because it's pointing at the ~/src/naxsi/nxapi/nxapi.json config file and not at the one
# in ~/some/project/folder
cd ~/some/project/folder
~/src/naxsi/nxtool.py -c ~/src/naxsi/nxapi/nxapi.json -s example.com -f --filter 'uri /foo' --slack

wargio commented 3 years ago

Hello, sorry, I didn't notice your issue: that seems to be indeed a bug.

jaygooby commented 3 years ago

I did a bit of print debugging - it's because you either need to have the tpl folder copied to the new location, or you need to ensure that the nxapi.json has a full path to the tpl folder. Not sure it's a bug after all - just needs to be a bit clearer about the dependence on the tpl folder.

wargio commented 3 years ago

Well, a check should be in place to be sure all the needed data/folders are in place.
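
A preflight check of the kind discussed in this thread, as an added example that is not part of the thread or of naxsi's own code. It assumes path settings in nxapi.json use keys ending in `_path` (for example `template_path`) and that relative values resolve against the config file's folder; `find_path_entries`, `missing_paths` and `demo` are hypothetical names, and the sample config is constructed.

```python
import json
import os
import tempfile


def find_path_entries(node, prefix=""):
    """Yield (dotted_key, value) for every key ending in '_path' (assumed naming)."""
    if isinstance(node, dict):
        for key, value in node.items():
            dotted = f"{prefix}.{key}" if prefix else key
            if key.endswith("_path"):
                # A setting may hold one path or a list of paths.
                for item in (value if isinstance(value, list) else [value]):
                    if isinstance(item, str):
                        yield dotted, item
            else:
                yield from find_path_entries(value, dotted)
    elif isinstance(node, list):
        for item in node:
            yield from find_path_entries(item, prefix)


def missing_paths(config_file, base_dir=None):
    """Return [(key, configured, resolved)] for path entries that do not exist."""
    config_file = os.path.abspath(os.path.expanduser(config_file))
    # Assumption: relative paths are resolved against the config file's folder.
    base_dir = base_dir or os.path.dirname(config_file)
    with open(config_file, encoding="utf-8") as handle:
        config = json.load(handle)
    problems = []
    for key, configured in find_path_entries(config):
        resolved = os.path.normpath(os.path.join(base_dir, os.path.expanduser(configured)))
        if not os.path.exists(resolved):
            problems.append((key, configured, resolved))
    return problems


def demo():
    """Constructed sample: a config copied to a project folder without its tpl/ folder."""
    sample = {"naxsi": {"template_path": ["tpl/"], "rules_path": "core.rules"}}
    with tempfile.TemporaryDirectory() as project:
        cfg = os.path.join(project, "nxapi.json")
        with open(cfg, "w", encoding="utf-8") as handle:
            json.dump(sample, handle)
        open(os.path.join(project, "core.rules"), "w").close()
        before = [key for key, _, _ in missing_paths(cfg)]
        os.mkdir(os.path.join(project, "tpl"))  # what copying the folder fixes
        after = missing_paths(cfg)
    return before, after
```

Calling `missing_paths` on the config file before running rule generation turns a silent "No hits for this filter." into an explicit list of unresolved folders.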